Security indication spanning tree system and method

ABSTRACT

A security indication spanning tree system and method is presented. In one embodiment the asset value of a network node is determined. The exposure rating of said network node is ascertained. The impact risk to a preferred functionality due to an attack from another network node is analyzed. A spanning tree schematic of a network including the network node is created, wherein the spanning tree schematic includes an indication of the asset value.

FIELD OF THE INVENTION

The present invention relates to security. More particularly, thepresent invention relates to a system and method for creating a securityindication spanning tree.

BACKGROUND OF THE INVENTION

Electronic systems and circuits have made a significant contributiontowards the advancement of modern society and are utilized in a numberof applications to achieve advantageous results. Numerous electronictechnologies such as digital computers, calculators, audio devices,video equipment, and telephone systems have facilitated increasedproductivity and reduced costs in analyzing and communicating data,ideas and trends in most areas of business, science, education andentertainment. Frequently, electronic systems designed to provide theseadvantageous results are realized through the use of networked resourcesthat facilitate leveraged use of centralized utility and data resourcesby distributed components. While the leveraged utilization of thecentralized resources is advantageous, organization and maintenance ofthe centralized resources is usually very complex and often susceptibleto the spread of detrimental intrusive attacks.

Centralizing certain resources within a distributed network typicallyprovides desirable benefits. For example, centrally storing and/orprocessing information typically reduces wasteful duplicative storageand/or processing resources at each remote networked system. In additionto increasing efficiency, the functions provided and supported bycentralized resources typically have significant economic value. Theever increasing demand for centralized type services is largelyattributable to the ever growing cost of specialized informationtechnology services and the increasing complexity of managing missioncritical Enterprise and Internet applications. Interruptions in servicesand support for important applications implemented by the centralizedresources due to intrusive attacks can be very costly. In supportingdesirable flexibility and extensibility, centralizing resources caninvolve handling diverse applications, architectures and topologies(e.g., associated with a multi-vendor environment). Managing theinfrastructure of a large and complicated centralized networked resourceenvironment and protecting the resources from intrusive attacks raisesmany challenging operational issues.

Providing security for important centralized network assets is usuallyvery important and also often complex. Offering ubiquitous access to adiverse set of centralized resources introduces challenges associatedwith protecting the centralized resources from intrusive attacks (e.g.,that can detrimentally affect service quality). Modern networks can bevery extensive and typically include numerous potential points of attackfor intrusion. If an attack is able to “infiltrate” or overcome securitymeasures at a particular point there is often an opportunity for theattack to spread rapidly and relatively unimpeded throughout a network.The devices in a network can be configured or associated to providefunctionality and/or service for a variety of applications. Attacksdirected to a single device or aspect of a network can be very harmful.The spread of the attack or intrusion throughout a network internally toimpact applications implemented on and/or supported by the network canbe devastating.

Intrusion attempts directed towards centralized resources are usuallyinitially directed at penetrating from a single point or device and thento spread from that device to other devices in a centralized resourcenetwork or “internal” network. Traditional intrusion protection systemstypically focus on preventing the initial breach of an individualcomponent from devices outside internal networks. For example, a hostintrusion detection system (HIDS) usually tries to detect intrusion on ahost. A HIDS is usually limited to sensing very localized events andoften only detects events on a particular host system and no where else.Another example of security system is a network intrusion detectionsystem (NIDS). The NIDS usually tries to detect intrusions directed attraffic on a network segment. For example, NIDS are usually limited tosniffing network traffic at individual switching points. While NIDS mayoften be deployed to service a rather significant part of a network, itis usually limited to deployment at individual network egress points.While traditional intrusion protection often provides an initial line ofdefense or intrusion protection, breaching individual component securitymeasures often occurs at an undesirable rate.

The most significant damage resulting from an intrusive attack on acomponent of a network usually occurs as a result of an intrusive attackspreading throughout the network. For example, an attack may beinitially directed towards a relatively unimportant and/or unprotectedcomponent of a network. In and of itself the initial attack on a “weak”component may have little or no practical affect on the performance andfunctionality of the components in supporting various applications andsystems, including important applications and systems. This may even bea reason for not expending security protection resources to protect thecomponent. However, if the attack spreads from the “weak” component to amore critical component (e.g., a component that provides significantfunctionality for supporting important applications and systems), itcould have a very significant affect on crucial performance andfunctional support. Even if significant resources are expended toprotect the important component from attacks outside the network, theyare essentially wasted if the component is susceptible to attacks fromother components within the network. This is a significant considerationsince once an initial breach is made, attacks typically spread intraditional systems and networks with little or no opposition.

Identifying devices in a centralized resource network or internalnetwork that support important applications and are relatively moresusceptible to attack internally is often complicated. Traditionalattempts at preventing the spread of an attack usually involves manualcoordination and analysis of individual alarms and potential impact onother devices in a system. Prior attempts at stopping the spread of anattack are usually laborious and often requires a significant level ofknowledge and expertise on the priority of different applications andthe functionality particular network components contribute to theapplications. The complexity of a network and the numerous differentapplications and/or systems that rely on a component can also increasesusceptibility to flaws associated with human error, which tends toincrease when attempting to identify the important and susceptibleinternal centralized resources during an intrusive attack.

SUMMARY OF THE INVENTION

A security indication spanning tree system and method is presented. Inone embodiment the asset value of a network node is determined. Theexposure rating of said network node is ascertained. The impact risk toa preferred functionality due to an attack from another network node isanalyzed. A spanning tree schematic of a network including the networknode is created, wherein the spanning tree schematic includes anindication of the asset value.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and form a part ofthis specification, illustrate embodiments of the invention by way ofexample and not by way of limitation. The drawings referred to in thisspecification should be understood as not being drawn to scale except ifspecifically noted.

FIG. 1 is a flow chart of a security indication spanning tree method inaccordance with one embodiment of the present invention.

FIG. 2 is a block diagram of an exemplary utility data center (UDC) uponwhich embodiments of the present invention can be implemented.

FIG. 3 is a block diagram of a computer system on which a presentinvention security indication spanning tree system and method can beimplemented.

FIG. 4 is a block diagram of a security indication spanning tree systemin accordance with one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to the preferred embodiments of theinvention, examples of which are illustrated in the accompanyingdrawings. While the invention will be described in conjunction with thepreferred embodiments, it will be understood that they are not intendedto limit the invention to these embodiments. On the contrary, theinvention is intended to cover alternatives, modifications andequivalents, which may be included within the spirit and scope of theinvention as defined by the appended claims. Furthermore, in thefollowing detailed description of the present invention, numerousspecific details are set forth in order to provide a thoroughunderstanding of the present invention. However, it is understood thepresent invention may be practiced without these specific details. Inother instances, some readily understood methods, procedures,components, and circuits have not been described in detail as not tounnecessarily obscure aspects of the current invention.

The present invention facilitates flexible consolidation and correlationof potential disruptions to components of a network from internalspreading of an intrusive attack. The present invention is capable ofprioritizing the functionality provided by components and factoring theprioritization into a security threat indication. In one embodiment, aspanning tree representation of a centralized resource network (e.g.,server farm, UDC, etc.) is built with asset value and exposure orconnectivity indicators. In one exemplary implementation the asset valuecorresponds to the economic value of functions provided by a networkcomponent in the support of various applications. The present inventionalso reduces resources required to coordinate and implement an effectivepresentation of a network component susceptibility to an intrusiveattack spreading throughout the component internally.

FIG. 1 is a flow chart of security indication spanning tree method 100in accordance with one embodiment of the present invention. Spanningtree method 100 provides a spanning tree representation of a networkwith potential internal attack indications. The indications can includefactors for susceptibility of a component to attack from othercomponents in the network and importance or impact of a disruption inthe operations of a component with respect to support for variousapplications.

In step 110, the asset value of a network node is determined. In oneembodiment the asset value provides an indication of the economic valueor utility of the functions provided by the network node. In oneexemplary implementation the asset value corresponds to the economicimpact of a disruption to the functionality provided by the networknode. For example, if a disruption in operations to a particular networknode (e.g., due to an intrusion attack) has a high economic impact thenetwork node can be assigned a relatively high asset value indicator(e.g., a value of 9 out of possible 10 maximum). If the disruption inoperations to a particular network node has a moderate economic impactthe network node can be assigned a moderate asset value indicator (e.g.,a value of 5 out of possible 10 maximum). If the disruption inoperations to a particular network node has a low economic impact thenetwork node can be assigned a relatively low asset value indicator(e.g., a value of 2 out of possible 10 maximum).

The exposure rating of the network node is ascertained at step 120. Inone embodiment of the present invention, an exposure rating defines athreshold value corresponding to the connectivity of the network nodewith other network nodes. In one exemplary implementation, each networknode is given an exposure rating value depending upon its “connectivitydistance” (e.g., number of nodes) from a root node (e.g. a root node canbe the node “closest” or directly coupled to an external network), withthe root node having the highest value. The further the network node isfrom the root node the smaller the exposure rating value. The bandwidthof connections between network nodes can also be factored into theexposure rating value. For example, links with high bandwidth canincrease the exposure rating.

With continued reference to FIG. 1, a functional priority risk indicatorfor indicating the likelihood of an attack from another network node isestablished in step 130. The functional priority can be associated withthe economic benefit or utility a particular functionality provides. Inone embodiment of the present invention, an analysis of the functionalpriority risk indicator includes consideration of the importance orvalue of the network node to a preferred functionality and thesusceptibility of the network node to attack. The analysis can utilizethe exposure rating value and the asset value to establish a functionalpriority risk value. For example, the functional priority risk can bedefined by an exposure value of a particular network node plus twice theasset value.

In step 140, a spanning tree schematic of a network including thenetwork node is created, wherein the spanning tree schematic includes anindication of the network node asset value. The spanning tree schematiccan also include an indication of the exposure rating and an indicationof the risk to preferred or high priority functionality. The spanningtree schematic can also provide an indication of the interconnections ofa network node to other network nodes.

The present invention is applicable to centralized resourcescommunicatively coupled to form an “internal” network. For example, the“internal” network can be an organization or corporate network with fewcommunication interfaces to other “external” components and/or networkthereby forming a relatively isolated and distinct “internal” network.In one exemplary implementation centralized resources form a utilitydata center (UDC) communicatively configured in a local area network(LAN).

FIG. 2 is a block diagram of an exemplary utility data center (UDC) 200upon which embodiments of the present invention can be implemented. Inone embodiment, UDC 200 provides open system support for a plurality ofmulti-vendor computing resources. As such, the UDC 200 can providesupport to computing resources that provide a variety of functions(e.g., firewalls) to numerous different systems and applications. In oneembodiment, UDC 200 forms an internal network that is communicativelycoupled to exterior network 299. It is appreciated that UDC 200 caninclude elements in addition to those shown (e.g., more racks,computers, switches and the like), and can also include other elementsnot specifically shown or described herein. Furthermore, the blocksshown by FIG. 2 can be arranged differently than that illustrated, andcan implement additional functions not specifically described herein. Itis also appreciated that a number of components (e.g., utilitycontroller, firewalls, servers, etc.) included in UDC 200 can beimplemented in varying degrees of hardware, firmware and/or software.

In the present embodiment, UDC 200 includes switches 211 through 216,equipment racks 230, 240 and 250 and network operations center 270. Theswitches 211 through 216 are communicatively coupled to each other in aswitch fabric organization. Each equipment rack 230, 240 and 250 includevarious equipment. For example, equipment rack 230 includes computers231 through 233 communicatively coupled to switch 214, equipment rack240 includes computers 241 through 243 communicatively coupled to switch215, and equipment rack 250 includes disk arrays 251 through 254communicatively coupled to switch 216. It is appreciated that theswitches 211 through 216 can be coupled to other equipment (not shown),including computers that are not included in an equipment rack. In thisembodiment, the switches and computer systems are interconnected usingcables or the like. However, wireless connections between devices in UDC200 are also contemplated.

In general, UDC 200 includes a programmable infrastructure that enablesthe virtual connection of selected computing resources as well as theisolation of selected computing resources, thereby enabling security andsegregation of computing resources at varying infrastructure levels. Theresources included in UDC 200 can be dynamically programmed to logicallyreconfigure and “separate” the resources into a number of variousvirtual local area networks (VLANs). In one exemplary implementation,NOC 270 includes server 271 coupled to a user interface 291 and autility database 292.

The NOC 270 provides for overall control over the UDC 200. In oneembodiment, the NOC 270 acts as an interface to the UDC 200 and ismanned by network technicians that monitor the management and allocationof computing resources in the UDC 200. The interface also providesspanning tree schematic information and asset value information for eachcomponent of the spanning tree in a coordinated and organized userfriendly easy to comprehend presentation. The presentation can alsoinclude a exposure rate value for each component and an impact riskindictor for each component of UDC 200. The risk indicator provides anindication of risk to a preferred functionality due to an attack fromanother internal component.

Utility controller database 292 comprises configuration informationpertaining to the various resources in UDC 200, including descriptionsof the configuration, characteristics, and/or features of a component.For example configuration information can include but not necessarily belimited to indications of the types of devices in UDC 200,representations of each VLAN, a network or MAC (media access control)address for the resources of UDC 200, port numbers of the configurablecomponents, VLAN identifiers associated with each of the port numbers,socket identifier for each cable connected to each of the resources ofUDC 200, manufacturer identifiers, model indicators, and/or serialnumbers. Utility controller database 292 also includes an exposurerating value and an asset value for each resource in UDC 200. Asresources in UDC 200 are changed (e.g., reallocated), the information inutility controller database 250 is also changed accordingly (e.g., toreflect the reallocation). Changes to the utility controller database250 can also be used to drive changes to the allocation of resources inUDC 200.

In one embodiment, utility controller database 292 is embodied as acomputer-readable network map. The map can represent a spanning treeconfiguration of the resources included in UDC 200. It is understoodthat such a map need not exist in the form conventionally associatedwith human-readable maps. It is also appreciated that acomputer-readable network map can be synthesized on-the-fly from theinformation stored in utility controller database 292. The network mapcan include information pertaining to each of the computing resources inthe UDC 200 (e.g., configuration attributes, asset value, exposurerating, risk indicator, etc.).

Server 271 includes a network application management platform 273 (e.g.,an open view operation network application management platform) formanaging resources in UDC 200 in accordance with information included inutility database 292. For example, utility controller 272 enables thecreation, deployment, allocation, and management of VLANs. In oneexemplary implementation, utility controller 272 can monitor deployedVLANs, and automatically reallocate resources when there is a reason todo so. In addition, the utility controller 272 monitors sharedinfrastructure resources, alerting NOC 270 of failures or othersignificant events. Utility controller 272 utilizes network applicationmanagement platform 273 to manage resources in UCD 200.

Internal attack assessment component 274 directs creation of thespanning tree representation including asset value indications andexposure ratings. Internal attack assessment component 274 coordinatesthe collection of asset value and exposure ratings for each of thecomponents included in UDC 200 and provides a topological view of therelative risk on an attack on one component or element has on anothercomponent or element of UDC 200. The centralized user friendly efficientcoordination and correlation of the internal attack spread threat to UDC200 as disclosed herein, helps in reducing cost by facilitatingreduction of the number of operators having specialized knowledge ofassociated with each component of included in UDC 200 and the importanceand nature of the functionality provided by those components insupporting various application implementations.

In one embodiment of the present invention, internal attack assessmentcomponent 274 automatically determines asset value indications. In oneexemplary implementation, the asset value indication corresponding tocertain types of applications are maintained (e.g., in a table) and whenan application is selected for deployment in association with componentsof a centralized resource network the asset value indication is assignedto the components. It is appreciated that there is a variety of ways inwhich an asset value can be automatically determined. For example, thenumber of security appliances or applications (e.g., Firewalls, IDScomponents, etc) between a centralized resource network component ornetwork node and a root node can be tracked and components with moreprotection can be assigned a higher asset value. Components usuallyreserved for mission critical applications (e.g., high availabilitycomponents or clusters) and/or particular components (e.g., a databaseserver) can be assigned high asset values. Types of components thatprovide functionality more directed to facilitation of processing ratherthan processing the information directly (e.g., nodes, load balancers,proxy servers, network services) can be assigned a mid range assetvalue. The component size and operating system can be analyzed andassigned an asset value accordingly (e.g., larger size receives higherasset value).

In addition to computer systems and switches, the UCD 200 can includeother types of components such as, but not limited to, routers, loadbalancers, firewalls, and hubs. These other types of devices may also beprogrammable or configurable. Although described primarily in thecontext of UDC 200, the features of the present invention are not solimited. The present invention can be used with a variety of componentsin various configurations.

FIG. 3 is a block diagram of computer system 300, one embodiment of acomputer system on which a present invention security indicationspanning tree system and method can be implemented. For example,computer system 300 can be utilized to implement security indicationspanning tree method 100 and/or Network Operation Center 270. Computersystem 300 includes communication bus 357, processor 351, memory 352,input component 353, bulk storage component 354 (e.g., a disk drive),network communication port 359 and display module 355. Communication bus357 is coupled to central processor 351, memory 352, input component353, bulk storage component 354, network communication port 359 anddisplay module 355.

The components of computer system 300 cooperatively function to providea variety of functions, including performing indication of internalspread threats associated with intrusive attacks in accordance with thepresent invention. Communication bus 357 communicates information.Processor 351 processes information and instructions, includinginstructions for building an attack impact susceptibility spanning treerepresentation including asset value factors. For example, theinstructions can include directions for determining asset value of anetwork node; ascertaining exposure rating of the network node;analyzing impact risk to a preferred functionality due to an attack fromanother network node; and creating a spanning tree schematic of anetwork including the network node, wherein the spanning tree schematicincludes an indication of the asset value. Memory 352 stores informationand instructions, including instructions for building an attack impactsusceptibility spanning tree representation including asset valuefactors. Bulk storage component 354 also provides storage ofinformation. Input component 353 facilitates communication ofinformation to computer system 350. Display module 355 displaysinformation to a user. Network communication port 359 provides acommunication port for communicatively coupling with a network.

FIG. 4 is a block diagram of security indication spanning tree system400 in accordance with one embodiment of the present invention. In oneembodiment security indication spanning tree system 400 is implementedon a computer system (e.g., computer system 300). Security indicationspanning tree system 400 includes internal attack assessment component410 and user interface 490. User Interface 490 provides an userinterface for presenting asset value, exposure rating and risk to a userin a convenient and user friendly presentation. User interface 490 canalso receive user input. Internal attack assessment component 410includes device examination module 411, importance indication module412, internal attack permeability module 413, attack danger assessmentmodule 414, and spanning tree module 415, which can include computerreadable instructions (e.g., software, programmable code, etc). Forexample, security indication spanning tree system 400 can includecomputer readable program code embodied on a computer usable storagemedium, wherein the computer readable program code causes a computersystem to implement security indication spanning tree instructions.

Device examination module 411 examines information regarding devicesincluded in a centralized resource network (e.g., server farm, UDC,etc.). The examination includes ascertaining a device identification(e.g., MAC address, IP address, etc.) and which applications the devicesprovide functional support to. For example, whether a device providesfunctional support for important organization information (e.g., companyinformation) or functional support for a web server.

Importance indication module 412 obtains an indication of the relativeimportance of the functionality provided by the device. For example,functional support for important organization information (e.g., companyinformation) can be more important than functional support for a webserver.

Internal attack permeability module 413 investigates the permeability ofa network in permitting an intern attack on a device from other devicesincluded in the network. In one embodiment the investigating includesanalyzing the ease of attack on the device from other devices in acentralized resource network and assigning an connectivity openness orexposure threshold value to the device based upon the analysis of theease of attack.

Attack danger assessment module 414 assesses the danger of an attackfrom other devices included in the network. In one embodiment of thepresent invention, assessing the danger includes deriving an attackdanger indication based upon the indication of the relative importanceof the device and the exposure threshold value and associating theattack danger indication with the device.

Spanning tree module 415 builds a spanning tree topology representationincluding an indication of the relative importance of the device insupporting applications. For example, the devices operations thatfacilitate application implementation. In one embodiment the relativeimportance of the device is based upon an economic value of functionsthe device performs in support of the applications.

Thus, the present invention security indication spanning tree system andmethod facilitate determination and analysis of intrusive attack spreadthreats from within a network. The security indication spanning treesystem and method provide a comprehensive and convenient spanning treerepresentation including an indication of the correspondence ofcomponent disruption impacts to important applications andsusceptibility of the component to attack from other components within anetwork. The efficient and convenient security indication spanning treeinformation rapidly provides presentation of the relative economic valueof disruptions in a component functionality and the relative likelihoodof an attack spreading to the component. The rapid and accuratepresentation of the information facilitates minimization of human errorswhen attempting to identify important and susceptible centralizedresources during an intrusive attack on a centralized resource network.The information organization provides prioritization of the importanceof a component and an assessment of attack danger. The spanning tree caninclude the asset values for various components within the network. Thespanning tree can also provide an exposure rating that indicates thelikelihood of an attack spreading to other systems in a network (e.g.,server farm, UDC, etc.).

The foregoing descriptions of specific embodiments of the presentinvention have been presented for purposes of illustration anddescription. They are not intended to be exhaustive or to limit theinvention to the precise forms disclosed, and obviously manymodifications and variations are possible in light of the aboveteaching. The embodiments were chosen and described in order to bestexplain the principles of the invention and its practical application,to thereby enable others skilled in the art to best utilize theinvention and various modifications as are suited to the particular usecontemplated. It is intended that the scope of the invention be definedby the Claims appended hereto and their equivalents.

1. A security indication spanning tree method comprising: determiningasset value of a network node; ascertaining exposure rating of saidnetwork node; establishing a functional priority risk indicator forindicating the likelihood of an attack from another network node; andcreating a spanning tree schematic of a network including said networknode, wherein said spanning tree schematic includes an indication ofsaid asset value.
 2. A security indication spanning tree method of claim1 wherein said spanning tree schematic includes an indication of saidexposure rating.
 3. A security indication spanning tree method of claim1 wherein said spanning tree schematic includes an indication of saidattack risk.
 4. A security indication spanning tree method of claim 1wherein said asset value provides an indication of an economic value offunctions provided by said network node.
 5. A security indicationspanning tree method of claim 1 said asset value corresponds to aneconomic impact of a disruption to functionality provided by saidnetwork node.
 6. A security indication spanning tree method of claim 1wherein said exposure rating defines a threshold value corresponding toconnectivity of the network node with other network nodes.
 7. A securityindication spanning tree method of claim 1 wherein said network node isgiven an exposure rating value based upon a connectivity distance from aroot node.
 8. A security indication spanning tree method of claim 1wherein said root node is a node closest to an external network.
 9. Asecurity indication spanning tree method of claim 1 wherein saidfunctional priority risk indicator is associated with an economicbenefit and utility of functionality said network node provides.
 10. Asecurity indication spanning tree system comprising: a bus forcommunicating information; a processor coupled to said bus, saidprocessor for processing said information including instructions forbuilding an attack impact susceptibility spanning tree representationincluding asset value factors; and a memory coupled to said bus, saidmemory for storing said information, including instructions for buildingsaid attack impact susceptibility spanning tree representation includingsaid asset value factors.
 11. A security indication spanning tree systemof claim 10 wherein said asset risk value is automatically determined..12. A security indication spanning tree system of claim 10 furthercomprising a central console for interfacing with a network applicationmanagement platform.
 13. A security indication spanning tree system ofclaim 10 wherein said instructions include attack spread riskdetermination instructions.
 14. A security indication spanning treesystem of claim 10 wherein said instructions include exposure ratingdetermination directions.
 15. A computer usable storage medium havingcomputer readable program code embodied therein for causing a computersystem to implement security indication spanning tree instructionscomprising: a device examination module for examining informationregarding devices included in a centralized resource network, whereinsaid examining includes ascertaining what applications said devicessupport; an importance indication module for obtaining an indication ofa relative importance of functionality provided by said device; and aspanning tree module for building a spanning tree topologyrepresentation including said indication of said relative importance ofsaid device in supporting said applications.
 16. A computer usablestorage medium of claim 15 herein said relative importance of saiddevice is based upon an economic value of functions said devicesperforms in support of said applications.
 17. A computer usable storagemedium of claim 15 further comprising an internal attack permeabilitymodule for investigating the permeability of a network in permitting aninternal attack on a device from other devices included in the network.18. A computer usable storage medium of claim 17 wherein saidinvestigating includes: analyzing the ease of attack on said device fromother devices in said centralized resource network; and assigning anconnectivity threshold value to said device based upon said analysis ofsaid ease of attack.
 19. A computer usable storage medium of claim 15further comprising an attack danger assessment module for assessing thedanger of an attack from other devices included in said network.
 20. Acomputer usable storage medium of claim 19 further comprising: derivingan attack danger indication based upon said indication of said relativeimportance of said device and said connectivity threshold value; andassociating said attack danger indication with said device.